Responding to a security event is all about identifying threats early and taking appropriate action. There are two parts to responding to a security event or indicator, preparation (referred to as left-of-boom) and the response following a potential attack (right-of-boom).
Preparing for a Security Event: Left-of-Boom
Left of Boom refers to everything that happens before a major security incident. It includes preparation, such as:
- Creating and practicing an incident response plan (IRP)
- Regular tabletop exercises
- Proper training for employees
- Ensuring systems are in place to detect potential threats
The goal here is to identify and stop threats before they escalate.
Creating the Right Incident Response Team
The size and structure of your organization will determine the makeup of your incident response team (IRT). For smaller organizations, this may include:
- IT director
- General counsel
- CFO
Larger organizations with a Security Operations Center (SOC), might involve:
- The CISO
- The CIO
- General counsel
- Specialized external teams
Responding to a Security Indicator: Right-of-Boom
Right of Boom is when a security indicator has occurred, and the organization must respond. Security indicators can refer to technical alerts such as unauthorized access attempts or unusual system behavior, or they can refer to a report from a person. Companies that can spot these indicators early can respond more effectively. Once a threat is verified, the (Incident Response Plan) IRP kicks in, guiding the team through the process of addressing the issue.
Key Elements of an Effective Incident Response Plan
A strong incident response plan should be:
- Clear: The plan needs to be straightforward and easy to follow, with specific roles and responsibilities outlined.
- Current: Ensure contact lists, insurance details, and policies are up to date.
- Well-practiced: Regularly conduct drills and simulations to ensure everyone knows their role and can act quickly during a crisis.
A well-implemented incident response plan minimizes damage, speeds up recovery, and helps organizations meet legal and regulatory requirements, such as notifying the proper authorities or stakeholders within specific timelines.
Involving External Support
Having the right external support is crucial. This might include legal counsel to ensure proper handling of incidents and maintain confidentiality under legal privilege, as well as insurance brokers and forensic teams who specialize in cyber incidents. Having these experts in place before an incident occurs ensures a smoother response when it happens.
The Role of Legal and Insurance
Legal involvement is important for two reasons:
- Specialization: Cybersecurity law is complex, and specialized attorneys can navigate the legal landscape effectively.
- Privilege: If legal counsel hires forensic and recovery teams, the investigation can be conducted under attorney-client privilege, helping protect sensitive information from future lawsuits.
Similarly, knowing your insurance policy details, including timelines for reporting incidents, ensures you don’t miss critical deadlines that could void your coverage.
Managed Service Providers vs. Forensics
It’s important to differentiate between your managed service provider (MSP) and your forensic team. While the MSP handles day-to-day IT operations, an independent forensic team should investigate incidents to avoid conflicts of interest and ensure a thorough review. Having a second set of eyes is critical in case the MSP was part of the problem.
Managing security indicators requires preparation and an effective incident response plan. Organizations that prepare properly—through regular training, involving external experts, and ensuring their IRP is current—are better equipped to handle security incidents quickly and minimize damage.
Create Your First Real Security Incident Response Plan
Talk to Aldridge today to help you assess your ransomware risk, build a response plan, and walk through the scenarios that matter most to your business. Take advantage of our free Security Incident Response Template to help your team get started.
Let’s make sure you’re ready for whatever comes next.
